As cybercrime continues to impact businesses around the world, it’s more important than ever to protect sensitive consumer data. Cybersecurity regulations, like the Gramm-Leach-Bliley Act (GLB Act), are meant to aid in this effort by requiring businesses to be compliant. In one of the Federal Trade Commission’s (FTC) most recent rulings, automotive dealerships are now required to follow the automotive cybersecurity guidelines specified in the GLB Act.
Automotive Cybersecurity Compliance Guidelines
On Oct. 27, 2021, the FTC announced new updates to its Safeguards Rule under the GLB Act. The goal of these updates is to strengthen security around consumer financial information. These changes are the result of a multi-year process aimed at fighting the ever-rising uptick of data breaches.
While the GLB Act mostly affects the financial industry, this regulation is also going to have a big impact on the dealership community. Due to the fact that dealerships possess credit card numbers, social security numbers, and more, they have been lumped in and are required to remain compliant. Essentially, thanks to the recent changes to the Safeguards Rule, dealerships are now considered to be financial institutions.
What Is the GLB Act?
The GLB Act is a Federal law that requires financial institutions to detail how they share and protect private consumer data. It was originally signed into law back in 1999. The main data protection guidelines can be found in the Safeguards Rule, with additional security requirements outlined in the Financial Privacy Rule.
How Compliance Works
The Safeguards Rule states that financial institutions must create a written information security plan. That plan must describe the cybersecurity program you’re using to protect private consumer data. It also mentions that the cybersecurity program you implement must be customized according to the size of your business, your operations, complexity, and the level of sensitivity of the information.
To achieve full compliance, you must:
- Have one or more employees coordinate your cybersecurity auto dealership program.
- Identify and assess risks to customer information and evaluate your security posture.
- Regularly monitor and test your cybersecurity.
- Choose a managed services provider that can maintain your cybersecurity.
- Evaluate and adjust the program after changes in your company.
It’s important to keep in mind that achieving compliance is only the first step. After you reach compliance, you are expected to maintain it and adjust according to any changes in the rules.
What Are the Penalties?
The FTC is serious about protecting consumer information, so it should come as no surprise that there are serious consequences. A business that’s non-compliant could face:
- $100,000 fine levied against the company per violation
- $10,000 fine imposed on the individuals in charge of the company
- Up to five years of prison time for individuals in charge
What Does This Automotive Cybersecurity Compliance Law Mean for You?
All dealers that are subject to the GLB Act must comply with the new rules when they go into full effect. Otherwise, you could open your company up to costly private lawsuits and/or be forced to pay severe fines. If you want to protect your business, you need to implement cybersecurity solutions immediately.
Although all of this may sound troublesome, it’s not as bad as it sounds. What’s important to note is that the GLB Act is most concerned about three specific things:
- Informing consumers about the information you’re collecting on them
- Informing consumers how their information is going to be shared
- Allowing consumers to “opt out” of information sharing where possible
In the end, this regulation won’t get in the way of your normal business operations. It’s not usually a violation for a business to share sensitive consumer information with a legally affiliated business. For example, if your dealership is owned by a parent company, it would not be a violation to share your customers’ data with them.
The real weight of this law is going to be felt with any non-essential sharing of information—for instance, if you plan on giving or selling your clients’ information to another business (i.e., telemarketers). In this case, you would have to disclose your intentions and give your customers a chance to opt out.
Become Compliant Today!
Don’t simply achieve automotive security compliance, maintain it with ongoing cybersecurity services. CTMS is an industry-leading IT provider that offers a wide selection of IT solutions. With our cybersecurity services, our team can help your dealership achieve GLB Act compliance. We can even tailor our solutions to fit the needs of your business.
Contact us today to learn more.
